
Ransomware skyrocketed in 2016, with the FBI reporting an average of 4,000 ransomware attacks per day — a 300-percent increase since 2015. This has been especially bad news for healthcare organizations, which have been hit hard by this type of cyberattack that works quickly to encrypt files and then holds them hostage until a ransom is paid.

Targeting hospitals has been lucrative for the cybercriminals behind these attacks. In a recent article security expert Brian Krebs highlighted the impact ransomware has had on the healthcare field: “According to a new report by Intel Security, the healthcare sector is experiencing over 20 data loss incidents per day related to ransomware attacks. The company said it identified almost $100,000 in payments from hospital ransomware victims to specific bitcoin accounts so far in 2016.”

In fact, a recent study shows that healthcare providers are 450 percent more likely to be hit by the type of ransomware known as CryptoWall than companies in other industries. According to the Ponemon Institute, ransomware, malware, and denial-of-service attacks are the top three cyber threats facing healthcare organizations in 2016, and criminal attacks are the leading cause of healthcare data breaches for the second year in a row.

Government gets serious about ransomware

Government authorities have started to respond to this growing trend. In March, the FBI issued a flash advisory about the MSIL/Samas.A strain of ransomware that was encrypting entire networks and seemed to be targeting healthcare organizations in particular. Then in July, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights released new HIPAA guidance on ransomware to help healthcare organizations understand and respond to this type of threat.

“One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware,” Jocelyn Samuels, the director of the HHS Office for Civil Rights, wrote in a blog post about the new guidance.

New HIPAA guidance

The new guidance explains it this way: “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”

This means that when a ransomware attack occurs, the affected organization will need to meet HIPAA’s breach notification requirements, which in most cases includes filing a breach incident form with the HHS and notifying affected individuals — as well as the media if the breach affects more than 500 people.

One of our MSP partners strongly believes that customers need to have appropriate security and backup in place to protect against ransomware. In fact, any customer who declines this protection is asked to sign the quote as “declined,” and the MSP then keeps it on file in case something happens down the road.

How HIPAA compliance can help

The HIPAA ransomware fact sheet also outlines several ways the HIPAA Security Rule can help healthcare organizations prevent ransomware infections. These requirements include:

Having a security management process in place that includes doing risk analysis to identify threats and putting security measures in place to mitigate those risks

Following procedures to protect against and detect malware

Training users on best practices for avoiding malware, as well as how to recognize and report it

Implementing an overall contingency plan that includes data backup, disaster recovery, and emergency operations planning

Conducting regular testing of contingency plans

Having security incident procedures in place covering how to respond to and report security incidents like a ransomware attack

Education and prevention

All of these best practices are critical components of protecting SMB customers from the growing threat of ransomware, whether your MSP works with healthcare customers or not. Education is especially important. Unlike other types of cyberattacks that look for system or network vulnerabilities, ransomware preys on people who are uninformed and unaware.

A number of factors make hospitals and other healthcare organizations attractive targets for ransomware attacks:

Many are supporting older equipment that often runs on outdated operating systems

The critical and timely nature of the information they need to access to care for patients

“If you have patients, you are going to panic way quicker than if you are selling sheet metal,” Stu Sjouwerman, CEO of the security firm KnowBe4, said in an interview with Wired. He explained that another reason hospitals are a good target is because they focus more on training employees on HIPAA compliance for protecting patient privacy than on cybersecurity awareness.

So, the best thing you can do for your healthcare customers is make sure their employees know how to protect themselves from a ransomware attack by following cybersecurity best practices. The fact that security is now an important part of maintaining HIPAA compliance should be a good motivator for any customers that are reluctant to make it a priority.

Posted by Anne Campbell

As senior content strategist at Barracuda MSP, Anne Campbell finds new ways to use content to help managed service providers make their businesses more successful. She grew Intronis’ blog subscribers 532 percent in less than 18 months, winning the 2016 Content Marketing Award for Highest Subscriber Growth. Anne spent the first half of her career as a magazine and newspaper journalist, and she brings that editorial point of view to her work in content marketing.